[wp-trac] [WordPress Trac] #21022: Allow bcrypt to be enabled via filter for pass hashing

WordPress Trac noreply at wordpress.org
Tue Nov 21 13:49:36 UTC 2017


#21022: Allow bcrypt to be enabled via filter for pass hashing
-------------------------------------------------+-------------------------
 Reporter:  th23                                 |       Owner:
     Type:  enhancement                          |      Status:  new
 Priority:  normal                               |   Milestone:  Future
Component:  Security                             |  Release
 Severity:  normal                               |     Version:  3.4
 Keywords:  2nd-opinion has-patch needs-testing  |  Resolution:
  5.0-early                                      |     Focuses:
-------------------------------------------------+-------------------------
Changes (by my1xt):

 * keywords:  2nd-opinion has-patch needs-testing 4.9-early => 2nd-opinion
     has-patch needs-testing 5.0-early


Comment:

 So 4.9 was released a while ago and of course nothing happened.

 Version 5.0 is scheduled for 2018, and adding a new full version means
 that we also could break some things, and considering we get many years
 of security updates even for very old versions (3.7 even received the
 update at the end of October, marking a support time of greater than 4
 years, even though it is used by just about 0.3%, which isn't bad), I
 would think if 4 gets similarly lengthy security updates then there's no
 problem with going around breaking stuff on the next major version.

 Also we still have almost 25% running around on 4.5 or less, meaning
 they are still on a minor from one and a half years ago, and they
 haven't bothered updating to a new one. The stats don't show the patch
 level, but unless auto updates have been enabled on those, chances are
 they never received any update ever.

 Also, a small other thing: once 5.0 releases (March 2018 at the
 earliest, considering they run about 4 months per update, though chances
 are it's more because it's a major), even PHP 5.6 will have less than a
 year to live, and the same for 7.0. At the end of this month PHP 7.2
 will release, and WP5 should really embrace it by, for example, allowing
 the user to use argon2 for passwords.

 I honestly don't think it's good in the long run to have a CVE lying
 around in WordPress for (from the point of the WP 5.0 release) almost or
 even more than 6 years; this can seriously affect the reputation, at
 least in the set of people who know IT stuff at least a bit.

 And while the following idea is crazy, and I know it, if we REALLY want
 to keep way-too-old PHP versions alive we should at least switch from
 MD5 to SHA-1 or, if old PHP can work with it, a SHA-2 algorithm, and
 while SHA-1 has been Shattered already, it IS less than half as fast as
 MD5. On a set of 8 GTX 1080s MD5 gets over a massive 200 billion hashes
 per second. A single overclocked 1080 Ti puts in almost 34 billion
 hashes, so using 8 of these gets almost 272 billion hashes. An 8
 character completely random password (of all the 94 printable ASCII
 chars) gets us about 6 HOURS in the worst case; considering that most
 passwords aren't random, chances are they are broken rather quickly. And
 while a 10 char password may still take around 6 years on this setup,
 speeds are only increasing and we are just on GPUs. Imagine throwing
 ASICs into the mix; this is getting crazy and something really needs to
 be done.

 By the way, I axed the 4.9-early tag because 4.9 has been released and
 that tag won't help anyone anymore.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:95>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
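What the ticket asks for (bcrypt instead of phpass MD5 for stored passwords) can be done today from a plugin by overriding the pluggable functions rather than through a filter; the following is an added example written for this thread, not code from the ticket's patch or from WordPress core. It assumes PHP 5.5+ (password_hash), that the file is loaded as a plugin before pluggable.php, and a bcrypt cost of 12, which is a placeholder to tune per host.

```php
<?php
/**
 * Plugin Name: Bcrypt password hashing (added example)
 * Replaces wp_hash_password()/wp_check_password() so new hashes use bcrypt,
 * while existing phpass ($P$) hashes keep verifying and are upgraded on login.
 */

// Assumed cost; tune so one hash takes ~100 ms on the production server.
define( 'EXAMPLE_BCRYPT_COST', 12 );

if ( ! function_exists( 'wp_hash_password' ) ) :
function wp_hash_password( $password ) {
    // Note: bcrypt only uses the first 72 bytes of the password.
    return password_hash( $password, PASSWORD_BCRYPT, array( 'cost' => EXAMPLE_BCRYPT_COST ) );
}
endif;

if ( ! function_exists( 'wp_check_password' ) ) :
function wp_check_password( $password, $hash, $user_id = '' ) {
    if ( 0 === strpos( $hash, '$P$' ) ) {
        // Legacy phpass hash written by core: verify with core's own hasher.
        global $wp_hasher;
        if ( empty( $wp_hasher ) ) {
            require_once ABSPATH . WPINC . '/class-phpass.php';
            $wp_hasher = new PasswordHash( 8, true );
        }
        $check = $wp_hasher->CheckPassword( $password, $hash );
        if ( $check && $user_id ) {
            // Correct password supplied: transparently rewrite it as bcrypt.
            wp_set_password( $password, $user_id );
        }
        return apply_filters( 'check_password', $check, $password, $hash, $user_id );
    }

    // Bcrypt (or any password_hash) format.
    $check = password_verify( $password, $hash );
    if ( $check && $user_id
         && password_needs_rehash( $hash, PASSWORD_BCRYPT, array( 'cost' => EXAMPLE_BCRYPT_COST ) ) ) {
        // Cost was raised since this hash was made: upgrade without user action.
        wp_set_password( $password, $user_id );
    }
    return apply_filters( 'check_password', $check, $password, $hash, $user_id );
}
endif;
```

Because the upgrade happens only on a successful login, old `$P$` hashes for dormant accounts remain in the database until those users next sign in.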